- From: Chris Drake <christopher@pobox.com>
- Date: Sat, 17 Jun 2006 14:49:41 +1000
- To: "James A. Donald" <jamesd@echeque.com>
- CC: practicalsecurity@hbarel.com, public-usable-authentication@w3.org
Hi James,

SpamAssassin is probably the most widespread filter deployed, and it uses SPF for sure (probably DK too I think). The two most effective commercial solutions (Brightmail and the other one - I forget its name right now) both feed from SPF information as well - so even though you might *think* nobody's using SPF - in reality - almost everyone is using it, as part of their spam scoring systems.

You're not wrong though - all authentication schemes are being actively avoided by every responsible ISP, because when they activate these schemes - they find they are preventing their own customers from being able to get emails through to recipients. If an ISP's customer wants to send an email from their own address when not using the ISP's mail server - it's going to get rejected if the ISP has SPF etc in place (unless the customer knows how to use SRS).

As a responsible ISP - ensuring your own customer emails reach their target is a much higher priority than helping to stop random strangers who are not your customers from receiving spam that forged the ISP's domain.

Why would anyone in their right mind do harm to their *customers* in order to help **strangers**???

THAT's the reason none of this stuff is widely deployed - it's got little to do with filter tools.

Spammers made email annoying. Anti-Spammers have made email unreliable. The latter have done significantly more harm than the former.

Kind Regards,
Chris Drake

Saturday, June 17, 2006, 1:34:02 PM, you wrote:

JAD> --
JAD> Why SPF and DK are not being used:
JAD>
JAD> Obviously, domains have no incentive to use SPF and/or
JAD> DK unless email recipients filter on SPF and DK
JAD>
JAD> But users do not.
JAD>
JAD> Largely because they cannot. There are no filter tools
JAD> that make good use of SPF and DK information. There are
JAD> filter tools, but they are research demonstrations,
JAD> rather than actually useful in reducing the spam in my
JAD> inbox.
JAD>
JAD> What the filter should do, is as part of Bayesian
JAD> filtering, observe that some messages get marked as
JAD> spam, and others as ham, and conclude that if some mail
JAD> that provably arrives from certain domains is ham, all
JAD> mail that provably arrives from those domains is
JAD> probably ham, generating a list of known good domains
JAD> which it then uses to guess which emails are ham. It
JAD> should also observe what domains usually provide
JAD> evidence that email came from the domain it appeared to
JAD> come from, and conclude that email without such
JAD> evidence, purportedly coming from a domain that usually
JAD> provides such evidence, is probably forged, therefore
JAD> probably spam. SPF and DK information needs to be
JAD> integrated with all other available information for
JAD> filtering mail.
JAD>
JAD> The widespread deployment of such filters would give
JAD> mail server administrators reason to support SPF and DK.
JAD> They would DK their outgoing mail in order to get their
JAD> domain on the known good list. At present they have no
JAD> such incentive, and so are not supporting SPF or DK.
JAD>
JAD> --digsig
JAD> James A. Donald
JAD> 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
JAD> CAbCqOSgym8Up02XNnb1alzFW4VBYsBpa/7xjkfS
JAD> 4pjb+C/KVowMqXdI49IgPIpZ4kB3ulWsslp3qz+jm
Received on Saturday, 17 June 2006 04:49:57 UTC
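
The filtering rule described in the quoted text (learn which authenticated domains send ham, and treat unauthenticated mail from domains that usually authenticate as probably forged), sketched as an added example that is not part of the original thread or of any existing filter. It assumes an upstream SPF/DK verifier supplies the `authenticated` flag; the class name, smoothing constant and `.example` domains are constructed for illustration.

```python
import math
from collections import Counter

class DomainAuthFeature:
    """Per-domain evidence, expressed as log-odds of ham, that a Bayesian
    filter could add to its other token scores (hypothetical helper)."""

    def __init__(self, smoothing=1.0):
        self.k = smoothing            # assumed pseudo-count; unknown domains score 0
        self.auth_ham = Counter()     # authenticated mail the user marked ham
        self.auth_spam = Counter()    # authenticated mail the user marked spam
        self.unauth_ham = Counter()   # genuine mail that arrived without proof

    def learn(self, domain, authenticated, is_spam):
        d = domain.lower()
        if authenticated:
            (self.auth_spam if is_spam else self.auth_ham)[d] += 1
        elif not is_spam:
            self.unauth_ham[d] += 1
        # Unauthenticated spam is ignored: the From domain may be forged,
        # so it says nothing about the real domain's behaviour.

    def log_odds_ham(self, domain, authenticated):
        d = domain.lower()
        if authenticated:
            # "Known good domain" list: provable origin plus ham history.
            return math.log((self.auth_ham[d] + self.k) /
                            (self.auth_spam[d] + self.k))
        # No proof of origin. Assuming a forger can never authenticate, the
        # likelihood ratio is the share of this domain's genuine mail that
        # also arrived unauthenticated.
        genuine = self.auth_ham[d] + self.unauth_ham[d]
        return math.log((self.unauth_ham[d] + self.k) / (genuine + self.k))

def train(samples):
    feature = DomainAuthFeature()
    for domain, authenticated, is_spam in samples:
        feature.learn(domain, authenticated, is_spam)
    return feature

# Constructed training verdicts: (From domain, authenticated?, marked spam?)
TRAINING = ([("bank.example", True, False)] * 20      # always signs, always ham
            + [("list.example", False, False)] * 10   # never signs, still ham
            + [("bulk.example", True, True)] * 15)    # signs, but user marks spam

if __name__ == "__main__":
    f = train(TRAINING)
    for dom in ("bank.example", "list.example", "bulk.example", "new.example"):
        print(dom, round(f.log_odds_ham(dom, True), 2),
              round(f.log_odds_ham(dom, False), 2))
```

A domain that never authenticates (`list.example`) is not penalised for unauthenticated mail, which is the customer-delivery failure the reply worries about; only domains with a record of authenticating lose score when the proof is missing.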